HIPAA privacy and security

The mission of the East Texas Medical Center Regional Healthcare System (ETMC) is to continuously strive to bring an unmatched Spirit of Excellence to the art and science of health care. We measure our success by how our efforts improve the quality of life for people and communities in East Texas. Part of our commitment has always included the protection of our patients’ personal health information.

The Health Insurance Portability and Accountability Act, also known as HIPAA, provides federal regulations for the privacy and security of patients’ health information. HIPAA legislation includes two major provisions that govern the safeguarding of patient information: The HIPAA Privacy regulations which were effective on April 14, 2003 and the HIPAA Security regulations which were effective April 21, 2005. The ETMC Regional Healthcare System is committed to meeting or surpassing the standards set forth in these regulations. This white paper was developed for the benefit of our patients to aid in the understanding of this important legislation.

Privacy Rule HIPAA represents the first-ever federal privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Developed by the Department of Health and Human Services (HHS), these standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed.

HIPAA includes provisions designed to encourage electronic transactions, but also requires safeguards to protect the security and confidentiality of health information. Most hospitals, health insurers, pharmacies, doctors and other health care providers are required to comply with these federal standards.

Patient Protections The privacy regulations ensure a national standard of privacy protections for patients by limiting the ways that health plans, pharmacies, hospitals and other covered entities can use patients’ personal medical information. The regulations protect medical records and other individually identifiable health information, whether on paper, in computers or communicated orally. Key provisions of the HIPAA Privacy standard include:

Access to Medical Records. Patients generally should be able to see and obtain copies of their medical records and request corrections if they identify errors or mistakes. Health plans, doctors, hospitals, clinics, nursing homes and other covered entities generally should provide access to these records within 30 days, and may charge patients for the cost of copying and sending the records.

Notice of Privacy Practices. Covered hospitals, health plans, doctors and other health care providers must provide a notice to their patients about how their personal medical information may be used. Further, this notice will inform patients of their rights under the privacy regulation. Doctors, hospitals and other direct-care providers generally will provide the notice on the patient’s first visit following the April 14, 2003 compliance date and upon request. Patients generally will be asked to sign, initial or otherwise acknowledge that they received this notice. Patients may ask covered entities to restrict the use or disclosure of their information beyond the practices included in the notice, but the covered entities do not have to agree to the changes. ETMC’s Notice of Privacy Practices may be found at www.etmc.org.

Limitations on Marketing. The privacy rule sets restrictions and limits on the use of patient information for marketing purposes. Pharmacies, health plans and other covered entities must first obtain an individual’s specific authorization before disclosing patient information for marketing. At the same time, the rule permits doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease-management programs.

Confidential Communications. Under the privacy rule, patients can request that their doctors, health plans and other covered entities take reasonable steps to ensure that their communications are confidential. For example, a patient could ask a doctor to call his or her office rather than home, and the doctor’s office should comply with that request if it can be reasonably accommodated.

Complaints. Patients may file a formal complaint regarding the privacy practices of a covered health plan or provider. Such complaints can be made directly to the covered provider or health plan or to HHS’ Office for Civil Rights (OCR), which is charged with investigating complaints and enforcing the privacy regulation. Information about filing complaints should be included in each covered entity’s notice of privacy practices. Patients can find out more information about filing a privacy-related complaint by contacting:

ETMC’s Privacy Office 903-596-3388

ETMC’s toll-free hotline, where the caller can choose to remain anonymous 800-688-3144

Providers’ Responsibilities The privacy rule requires health plans, pharmacies, doctors and other covered entities to establish policies and procedures to protect the confidentiality of their patients’ protected health information. These requirements are flexible and scalable to allow different covered entities to implement them as appropriate for their businesses and practices. Hospital and other covered entities must provide the protections for patients cited above, such as providing a notice of their privacy practices and limiting the use and disclosure of information as required under the rule. In addition, covered entities must take some additional steps to protect patient privacy:

Written Privacy Procedures. The rule requires covered entities to have written privacy procedures that describe how and when protected health information may be disclosed, and the identification of the types of employees that have access to protected information. Covered entities generally must take steps to ensure that any business associates who have access to protected information agree to the same limitations on the use and disclosure of that information.

Employee Training and Privacy Officer. Covered entities must train their employees in their privacy procedures and must designate an individual to be responsible for ensuring the procedures are followed. If covered entities learn that an employee failed to follow these procedures, they must take appropriate disciplinary action.

Public Responsibilities. In limited circumstances, the final rule permits covered entities to disclose health information for specific public responsibilities. These permitted disclosures include: emergency circumstances; identification of a deceased person, or the cause of death; public health needs; research that involves limited data or has been independently approved by an Institutional Review Board or privacy board; oversight of the health care system; judicial and administrative proceedings; limited law enforcement activities; and activities related to national defense and security. Where no other law requires disclosures in these situations, covered entities may continue to use their professional judgment to decide whether to make such disclosures based on their own policies and ethical principles.

Equivalent Requirements for Government. The provisions of the final rule generally apply equally to private sector and public sector covered entities. For example, private hospitals and government-run hospitals covered by the rule have to comply with the full range of requirements.

Civil and Criminal Penalties. Congress provided civil and criminal penalties for covered entities that misuse personal health information. For civil violations of the standards, OCR may impose monetary penalties up to $100 per violation, up to $25,000 per year, for each requirement or prohibition violated. Criminal penalties may apply for certain actions such as knowingly using protected health information in violation of the law. Criminal penalties can range up to $50,000 and one year in prison for certain offenses; up to $100,000 and up to five years in prison if the offenses are committed under “false pretenses”; and up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm.

Security RuleThe HIPAA Security Rule identifies standards and implementation specifications for information security that health care providers must meet in order to become compliant. All health care providers (except small health plans) that access, store, maintain or transmit patient-identifiable information are required by law to meet the HIPAA Security Standards by April 21, 2005.

Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.

Ensure compliance by the workforce.

The security standards were designed to provide guidelines to all types of covered entities, while affording them flexibility in how to implement the standards. Covered entities may use appropriate security measures that enable them to reasonably implement a standard. In deciding which security measures to use, a covered entity will take into account its size, capabilities, the costs of the specific security measures and the operational impact.

Over the last few years, the emergence of new technologies has driven many health care initiatives. With technology improvements and rapid growth in the health care industry, the need for flexible, technology-neutral standards is critical to successful implementation. The rule does not prescribe the use of specific technologies, so the health care community is not bound by specific systems and/or software that may become obsolete. HHS also recognizes that the security needs of covered entities can vary significantly. This flexibility within the rule enables each entity to choose technologies to best meet its specific needs and comply with the standards.

The security standards are divided into three main categories:

Administrative safeguards: These are the administrative functions that should be implemented to meet the security standards. They include assignment or delegation of security responsibility to an individual and security training requirements for health care employees.

Physical safeguards: These are the mechanisms required to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized intrusion. They include restricting access to ePHI, retaining off site computer backups and disaster recovery procedures.

Technical safeguards: These are the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it is being stored and/or transmitted.

In addition to these safeguards, the Security Rule also contains several standards and implementation specifications that address organizational requirements, as well as policies and procedures and documentation requirements.

The Security Rule distinguishes between implementation specifications that are required and those that are addressable. In some cases, a covered entity may choose not to implement an addressable specification at all if it can demonstrate that both the specification and alternative measures are not reasonable or appropriate. This approach allows considerable flexibility for covered entities seeking to comply with the security rule, but it also imposes significant responsibility on the covered entity to accurately assess and manage its security risks.

The privacy and security of patients’ healthcare information is an on-going, dynamic process that will continue to evolve as covered entities’ organizations and technologies change. For additional information about the HIPAA regulations, see the HHS web site at: http://www.hhs.gov/ocr/hipaa.